Windows Server 2008 TS Gateway Server Step-By-Step Setup Guide
Microsoft Corporation
Published: December 2007
Modified: December 2007
Abstract
Terminal Services Gateway (TS Gateway) is a new role service available to users of the Microsoft Windows Server® 2008 operating system. TS Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The internal network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Active Directory, Terminal Services, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Windows Server 2008 TS Gateway Server Step-by-Step Setup Guide
TS Gateway Overview
Who should use TS Gateway?
Benefits of TS Gateway
Additional references
Prerequisites for TS Gateway
Role, role service, and feature dependencies
Administrative credentials
Special Considerations for TS Gateway
TS Gateway server considerations
Name resolution issues
Device redirection settings not preserved after upgrade to RC0
Terminal Services client considerations
Automatic reconnection to a TS Gateway server might fail after the Terminal Services client comes out of hibernation
TS Gateway server connection requests from a client running Windows XP with SP2 might fail if a smart card is used for authentication
Configuring the TS Gateway Core Scenario
System requirements for the TS Gateway core scenario
Setting up the TS Gateway core scenario
Connection sequence for the TS Gateway core scenario
Steps for configuring the TS Gateway server for the TS Gateway core scenario
1. Install the TS Gateway role service
Verify successful role service installation and TS Gateway service status
2. Obtain a certificate for the TS Gateway server
Certificate requirements for TS Gateway
Using existing certificates
Certificate installation and configuration process overview
Create a self-signed certificate for TS Gateway
3. Configure a certificate for the TS Gateway server
Install a certificate on the TS Gateway server
Map the TS Gateway server certificate
Understand authorization policies for TS Gateway
TS CAPs
TS RAPs
Security groups and TS Gateway-managed computer groups associated with TS RAPs
4. Create a TS CAP for the TS Gateway server
5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server
6. Limit the maximum number of simultaneous connections through TS Gateway (optional)
Steps for configuring a Terminal Services client for the TS Gateway core scenario
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional)
2. Configure Remote Desktop Connection settings
3. Verify that end-to-end connectivity through TS Gateway is functioning correctly
Configuring the TS Gateway NAP Scenario
System requirements for the TS Gateway NAP scenario
Setting up the TS Gateway NAP scenario
Steps for configuring TS Gateway for the NAP scenario
1. Enable NAP health policy checking on the TS Gateway server
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
3. Configure a Windows Security Health Validator on the TS Gateway server
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
Steps for configuring a Terminal Services client as a NAP enforcement client
1. Download and run the Terminal Services NAP client configuration command
2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client
Test for successful blocked connection for NAP-capable client
Verify that the NAP health policy blocked the connection
Test for successful allowed connection for NAP-capable client
Verify that the NAP health policy allowed the connection
Test for successful blocked connection for non-NAP capable client
Additional references
Configuring the TS Gateway ISA Server Scenario
System configurations tested for the TS Gateway ISA Server scenario
Configuring connections between ISA Server and TS Gateway server
Setting up the TS Gateway ISA Server scenario
Steps for configuring TS Gateway for the ISA Server scenario
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server
2. Install the SSL certificate for the TS Gateway server on the ISA Server
3. Copy and install the TS Gateway server root certificate on the ISA Server
4. Create a new Web publishing rule on the ISA Server
Create a new Web publishing rule for ISA Server 2004
Create a new Web publishing rule for ISA Server 2006
5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server
7. Verify client configuration and test end-to-end connectivity
Additional references
Monitoring Active Connections Through a TS Gateway Server
Specify TS Gateway events to log
View details about active connections through a TS Gateway server
Example Script for Validating Certificate Configuration
Running the Rpcpingtest example script
Example of successful output
Rpcping example script
Disclaimer
Windows Server 2008 TS Gateway Server Step-by-Step Setup Guide
This Step-by-Step Guide describes functionality for the Windows Server® 2008 RC0 release of Terminal Services Gateway (TS Gateway).
The following topics are covered in this Step-by-Step Guide:
· TS Gateway Overview
· Prerequisites for TS Gateway
· Special Considerations for TS Gateway
· Configuring the TS Gateway Core Scenario
· Configuring the TS Gateway NAP Scenario
· Configuring the TS Gateway ISA Server Scenario
· Monitoring Active Connections Through a TS Gateway Server
· Example Script for Validating Certificate Configuration
TS Gateway Overview
Windows Server® 2008 Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled.
TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
The procedures in this guide will help you set up a TS Gateway server, enabling remote users to access terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled on your internal corporate or private network.
Note
After you use the procedures in this guide to set up a TS Gateway server, you must also set up clients to use a TS Gateway server and verify that the end-to-end connections can be successfully established through TS Gateway. For client setup and end-to-end connectivity testing instructions, see the Terminal Services Client Step-by-Step Setup Guide for TS Gateway.
Who should use TS Gateway?
This guide is targeted at these audiences:
· IT administrators, planners, and analysts who are evaluating remote access and mobile solution products
· Enterprise IT architects and designers
· Early adopters
· Security architects who are responsible for implementing trustworthy computing
· IT professionals who are responsible for terminal servers or remote access to desktops
Benefits of TS Gateway
TS Gateway provides many benefits, including the following:
· TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
· TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources. TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
· TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.
In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
· The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
  · Who can connect to network resources (in other words, the user groups who can connect).
  · What network resources (computer groups) users can connect to.
  · Whether client computers must be members of Active Directory® security groups.
  · Whether device and disk redirection is allowed.
  · Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
· You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista® RTM, Windows Server 2008, and the beta versions of Windows Vista Service Pack 1 (SP1) and Windows XP Service Pack 3 (SP3). If you are a member of the appropriate Microsoft® Connect Beta program, you can download the beta version of Windows Vista SP1 or Windows XP SP3 from MS Connect (http://go.microsoft.com/fwlink/?LinkID=102024).
With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
Note
Computers running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP. Only computers running Windows Vista RTM, or the beta versions of Windows Vista SP1 and Windows XP SP3 can be used as NAP clients when TS Gateway enforces NAP.
· You can use a TS Gateway server in conjunction with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), and host ISA Server in the perimeter network. Or, ISA Server can serve as an isolation point for either or both ends of the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
· TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
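As an added illustration (not Microsoft's code or the TS Gateway implementation), the following Python model evaluates a connection request against TS CAPs and TS RAPs the way the authorization model above describes: a CAP must admit the user (user group, authentication method, optional client-computer group, redirection setting) and a RAP must list the requested computer, so access is point-to-point rather than to every internal resource. All group, policy and host names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectionRequest:
    user_groups: frozenset     # AD security groups of the authenticated user
    client_groups: frozenset   # AD security groups of the client computer
    auth_method: str           # "password" or "smartcard"
    target: str                # internal computer the client asked to reach
    wants_redirection: bool    # client requested device/disk redirection

@dataclass(frozen=True)
class TSCAP:                   # who may connect through the gateway, and how
    user_groups: frozenset
    auth_methods: frozenset    # {"password"}, {"smartcard"} or both
    client_groups: frozenset = frozenset()  # empty: no client-computer requirement
    allow_redirection: bool = True

@dataclass(frozen=True)
class TSRAP:                   # which internal computers those users may reach
    user_groups: frozenset
    computers: frozenset       # a TS Gateway-managed computer group

def matching_cap(caps, req):
    """First TS CAP whose user, client-computer and authentication conditions all hold."""
    for cap in caps:
        if not cap.user_groups & req.user_groups:
            continue
        if req.auth_method not in cap.auth_methods:
            continue
        if cap.client_groups and not cap.client_groups & req.client_groups:
            continue
        return cap
    return None

def authorize(caps, raps, req):
    """Return (allowed, reason, redirection_in_effect). A CAP must admit the user
    AND a RAP must name the target: point-to-point access, not 'all resources'."""
    cap = matching_cap(caps, req)
    if cap is None:
        return False, "no TS CAP matches user, client computer or authentication method", False
    if not any(rap.user_groups & req.user_groups and req.target in rap.computers for rap in raps):
        return False, "no TS RAP grants access to " + req.target, False
    return True, "allowed", req.wants_redirection and cap.allow_redirection

# Constructed sample policies (fictitious names): employees may use either authentication
# method from any device; contractors need a smart card and a managed laptop, no redirection.
CAPS = [TSCAP(frozenset({"Remote Users"}), frozenset({"password", "smartcard"})),
        TSCAP(frozenset({"Contractors"}), frozenset({"smartcard"}),
              client_groups=frozenset({"Managed Laptops"}), allow_redirection=False)]
RAPS = [TSRAP(frozenset({"Remote Users", "Contractors"}), frozenset({"ts-finance.corp.example"}))]
```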
Additional references
· For product support, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=48555).
· To access newsgroups for Terminal Services, see the Terminal Services Community page on the Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=85730).
· If you are a beta tester and part of the special Technology Adoption Program (TAP) beta program, you can also contact your appointed Microsoft development team member for assistance.
Prerequisites for TS Gateway
For TS Gateway to function correctly, you must meet these prerequisites:
· You must have a server with Windows Server 2008 installed.
· You must obtain an SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.
Note
You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes.